SAN FRANCISCO, CA - In the wake of a devastating supply chain attack in the npm registry that left millions of enterprise applications compromised and billions of user records exposed, developers across the JavaScript ecosystem expressed deep sorrow today, lamenting that such a crisis was completely unavoidable.
“It’s a shame, but what can you do? This is just the price of building modern web apps,” said Senior Frontend Engineer Mark Vance, echoing the sentiments of a community that completely relies on a 40-level-deep nested tree of unvetted packages maintained by pseudonymous strangers to capitalize a single string. “There’s absolutely no way to foresee or prevent someone from taking over a long-abandoned utility package and injecting a crypto-miner into every production build in the world. It’s just an act of nature.”


What would be a possible alternative?
Going directly to the repos of, e.g., TanStack?
The simplest fix is a delay between an update being pushed and the update being deployed everywhere. Several orgs are scanning all popular dependencies for supply chain attacks and they usually catch them quickly, just not quickly enough when there is no delay.
Vet certain versions of packages, and use those whenever you can, also for subdependencies. Effectively create ‘stable’ versions of packages that are guaranteed safe to use.
Yes, it’ll be a ton of extra work, but that’s the price for security.
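An added example (not from anyone in this thread) of how the two suggestions above could be combined into a single lockfile gate: every resolved version must either be older than a cooldown window, judged from the `time` map that the npm registry's packument exposes, or appear on a team-maintained allowlist of vetted versions. The registry metadata, lockfile excerpt and allowlist below are constructed inline so the script runs offline; the package names are placeholders, not real packages.

```javascript
// Added example: offline "publish-age" gate for npm lockfile entries.
// The registry object mimics the `time` map of an npm packument
// (version -> ISO publish timestamp), but the data here is constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed registry metadata for two placeholder packages.
const REGISTRY = {
  "example-pad":  { time: { "1.3.0": "2018-04-01T00:00:00Z",
                            "1.3.1": "2025-09-14T09:00:00Z" } },
  "example-util": { time: { "2.0.0": "2024-01-10T00:00:00Z" } },
};

// Constructed lockfile excerpt: package name -> resolved version.
const LOCKFILE = { "example-pad": "1.3.1", "example-util": "2.0.0" };

// Constructed allowlist of versions a team has reviewed; these bypass the
// age check (the "stable, vetted versions" idea from the thread).
const VETTED = new Set(["example-util@2.0.0"]);

// Classify every lockfile entry. A version is accepted when it is vetted or
// was published at least `minAgeDays` before `now`; otherwise it is blocked,
// with a reason. Unknown versions are blocked too: a version the registry
// metadata has never heard of cannot have aged out of the window.
function checkCooldown(lockfile, registry, vetted, minAgeDays, now = new Date()) {
  const ok = [], blocked = [];
  for (const [name, version] of Object.entries(lockfile)) {
    const key = `${name}@${version}`;
    if (vetted.has(key)) { ok.push(key); continue; }
    const published = registry[name]?.time?.[version];
    if (!published) {
      blocked.push({ name, version, ageDays: null, reason: "unknown version" });
      continue;
    }
    const ageDays = (now - new Date(published)) / DAY_MS;
    if (ageDays < minAgeDays) blocked.push({ name, version, ageDays, reason: "too new" });
    else ok.push(key);
  }
  return { ok, blocked };
}

// Demo run with a fixed "now" so the result is reproducible: the 7-day window
// blocks example-pad@1.3.1 (published two days earlier) and admits the vetted
// example-util@2.0.0 regardless of age.
const demo = checkCooldown(LOCKFILE, REGISTRY, VETTED, 7, new Date("2025-09-16T00:00:00Z"));
console.log(JSON.stringify(demo, null, 2));
```

In CI this would run before `npm ci`, with `REGISTRY` populated from the real packuments and a non-empty `blocked` list failing the build.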
It works for C libs…
And this is one of the reasons C is not more popular. C is not a model for modern programming.
I don’t know why it wouldn’t. This is the model Go uses; their package registry is just a glorified index of code repositories.
C is not that popular nowadays because most devs don’t want to deal with the tradeoffs, most importantly memory handling and management.